Security & Compliance
141 Topics

bypass of MFA for Admin portals
Hello, I have a conditional access policy that bypasses MFA for custom enterprise apps when working from our trusted IPs. Since this policy is working as designed and expected, I thought it would be a simple matter to add the admin portal apps to it so sites like portal.azure.com are also bypassed. But for some reason it doesn't work, even though sign-in logs reflect that the password-only policy is indeed being applied to the sign-in. Is there something additional I need to do? Are admin portals hardcoded for MFA? I have included some screenshots of the policy and logs for review. Thanks,

Application Gateway, Geo-blocking, not working
Hello, we've found a possible bug when we apply a FW policy to our WAF_v2-enabled Application Gateway instance. We have compliance demands that certain regions should not be allowed; this is applied by a custom rule with Geo-matching, blocking on remote addresses. According to all existing documentation, we have the correct setup and we can see that some regions are blocked, but not all. How do I come in contact with the AppGW / FW team? How can we highlight this and get some help? We can't really report this on a public forum like this. We need to get in touch with someone on the Microsoft side. Thankful for any response, Niklas

Paste Link or Embed Object an encrypted/protected document (Sensitivity Label) causes error.
We are using Microsoft Purview's Built-In Labeling and have defined sensitivity labels. We are noticing that if the Excel (or Word) document is encrypted/protected with sensitivity labels, it cannot be paste-linked or embedded into another document (PowerPoint, etc.). Two behaviors outlined:

1) Insert -> Object -> Create From File will produce an error: "Files with restricted permission cannot be inserted into this presentation", or
2) If you attempt to paste link to an encrypted document (e.g. Excel), the option to paste link as Microsoft Excel Worksheet Object is missing. The only option is a hyperlink.

A nuance: in a situation where the Excel file was not labeled and was paste-linked into a PowerPoint, if the Excel file was later encrypted/protected, the link stays in place. That is, if you update the Excel file, it will update PowerPoint (for example). The error seems to only occur if the Excel file is encrypted/protected prior to being paste-linked. Has anyone experienced this, and is there a fix?

AIP padlock icon missing in encrypted message
Hi, I have enabled AIP in my tenant along with sensitivity labels and encryption. I can send encrypted messages successfully; however, the secure message, which contains a padlock icon referring to a Microsoft website, is broken and fails to load. I've viewed the source of the message and tried to load the image in my browser. The image failed to load and I believe the image location is not valid anymore. Could you please validate and provide a fix so that the padlock icon loads successfully? Currently the secure message looks like a phishing email and will probably be treated as such.

Service Trust Portal no longer support Microsoft Account (MSA) access
Dear all, we need to access certain documents (i.e., SOC 2 or ISO 27xxx) on the Service Trust Portal. To download documents you need to be signed in first. However, when I click on "sign in" (using the same email/account as for our Azure account) I get the error message "Service Trust Portal no longer support Microsoft Account (MSA) access." (see screenshot below). It seems that I am not the only one, since other users had similar issues but they also could not find a solution (or at least it was not mentioned in their post): https://techcommunity.microsoft.com/t5/security-compliance-and-identity/cannot-login-to-service-trust-portal/m-p/3632978 I have been trying this now for more than a week and also created a support ticket (which has not been assigned to a support agent yet). It is quite cumbersome and I hope some of you could have an idea, since getting these documents is quite crucial for us.

[Solved] Allow PIN support for Windows 10 devices
I want to allow my Windows 10 1909 (Hyper-V VM) to be able to use a PIN for sign-ins. I have created a non-administrator account and joined my VM to the AAD during Windows installation from the start. I also configured the PIN policy for Windows 10 in the Azure portal (Intune). I created a group in Intune and put my VM device + user into that, then I assigned the profile that I created for PIN to that group, and added my administrator user as the group owner. I've also read this article: https://support.microsoft.com/en-us/help/3201940/can-t-configure-a-pin-when-convenience-pin-and-hello-for-business-poli Still, in my Windows 10 account settings, there is no sign of PIN. I've waited 2 hours and synced my device from the AAD portal and also from Windows settings to receive the latest policies. Still nothing. I'm running out of clues as to why this is not working. Any ideas? Thanks in advance.

Update App Registration Client Secret Using Microsoft Graph REST API v1.0
Hello, I have a customer who wants to set the App registration Client Secret to 1 year. Here are the customer's requirements:

- For existing application registrations under the 'Certificates & Secrets' pane, any new secrets added by owners should have the duration limited to one year. If the owner tries to set the duration greater than one year and clicks the 'Add' button, the action should not be allowed, with a proper error displayed.
- The same behavior should also be applicable to new application registration specific secrets.
- It should not impact any existing secret that is present (greater or less than one year) for current application registrations.
- We need a way to enable and disable the global policy in case we want to disable it if something doesn't work as expected.
- We don't want to impact anything else w.r.t. application registrations or anything in service principals.

Based on the article you shared (Microsoft Entra application management policy API overview - Microsoft Graph v1.0 | Microsoft Learn), below is the script we are trying to use to add the global policy and set it as the default policy with isEnabled = true. As we cannot test in a different tenant, can you please confirm the snippet below will work for the above requirements?

    # List the app management policies already present in the tenant
    Get-MgPolicyAppManagementPolicy | Select-Object *

    # Restriction on password (client secret) lifetime; passwordCredentials is a
    # collection of passwordCredentialConfiguration objects, each needing a restrictionType
    $policy = @{
        "displayName" = "Enforce Max Lifetime for Secrets"
        "description" = "Policy to enforce a maximum lifetime of 1 year for any new secrets."
        "applicationRestrictions" = @{
            "passwordCredentials" = @(
                @{
                    "restrictionType" = "passwordLifetime"
                    "maxLifetime" = "P365D"  # ISO 8601 duration format for 1 year
                }
            )
        }
    }

    # Create the policy, then enable it as the tenant default
    New-MgPolicyAppManagementPolicy -BodyParameter $policy
    Update-MgPolicyDefaultAppManagementPolicy -Id <ABOVE_POLICY_ID> -IsEnabled $true

I tried to test it in my own tenant, but I ran into a permission issue. Can someone please confirm if this snippet works against the customer's requirements? Thanks.

Former Employer Abuse
My former employer, Albert Williams, president of American Security Force Inc., keeps adding my Outlook accounts, computers and mobile devices to the company's Azure cloud even though I left the company more than a year ago. What can I do to remove myself from his grip? Does Microsoft have a solution against abusive employers?